Trust, Safety and Cloud Computing – a contradiction?

If you believe what the providers tell you and listen to the euphoric forecasts of analysts, Cloud Computing offers companies and Public Sector administrations new ways of IT support. Everything seems to be possible in the cloud – from IT infrastructure, management and coordination, through the storage of data and information, up to business applications. According to Accenture, Cloud Computing is the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network. [1]

However, security and trust are major concerns and often block the adoption of cloud solutions. Business and personal data swirling around in the World Wide Web doesn’t give users much confidence, and it’s hard to imagine that such an “uncoupled” technology can comply with the high requirements of Data Protection. Can I trust my provider when he has to comply, for example, with the Patriot Act? Are “guarantees” regarding the safety of my data worth no more than waste paper? What about the safety of my data and my right of self-determination regarding the usage of data which somehow ends up at Amazon®, Google™ or Facebook® without my knowledge?

How can I benefit from the advantages of Cloud Computing and still meet the applicable safety and compliance requirements?

We tackled this question together with our partners Microsoft Deutschland GmbH and Atos IT Solutions and Services GmbH (formerly Siemens IT Solutions and Services) in a business-relevant showcase project. To make it even more interesting and to make the requirements as realistic as possible, we decided to choose a real-world Public Sector scenario.

In the showcase, a company relocates its registered headquarters from one city to another. As a result, all the documents filed in the commercial register also need to be relocated. Previously, all the documents had to be created manually and entered in the registers of the new authority responsible for the company – a process involving several steps. One can easily imagine how many of these incidents have to be processed every year.

The potential of Cloud Services can actually be realized even in this business process! The recurrent and common process is developed as a “public Cloud Process” as defined by E-Government and is provided on a Microsoft Windows Azure™ public Cloud infrastructure. All data, information and documents can be managed – according to the requirements – in a secure container that can be exchanged through many different communication channels (public Cloud, Government Cloud, private Cloud or peer-to-peer) or – if applicable – be transferred into the existing IT infrastructure directly after the user interaction. This “data” channel is separated from the “workflow” channel.

Realization in the Showcase

Both authorities involved exchange the data with the help of the cloud service. The authority previously responsible for managing the company record makes the documents available directly out of the Document Management System via an Office Business Gateway (OBG) based solution. The solution hands the package, which is encrypted multiple times (area 1: document layer, area 2: record layer, area 3: communication information), over to the cloud. As a result, the new local court gets a notification and the necessary access information for the public Cloud process via secured e-mail, analyzes the information from area 3 and – if authorized – has direct access to the data, information and documents and can handle the case immediately. If the recipient uses an OBG solution as well, he is able to transfer the record easily from Outlook® into his own infrastructure.
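The three-area package and the "area 3 first" check on the recipient side can be sketched as follows. This is an added example, not code from the showcase or from any of the partners' products: the article does not name ciphers or key handling, so AES-256-GCM, one key per area, the `authorizedRecipients` field and all function names are assumptions made for illustration.

```javascript
// Added example: three separately sealed areas, opened area 3 first.
const crypto = require("node:crypto");

// Encrypt one area with AES-256-GCM. The area name is bound as AAD so a
// ciphertext cannot be moved from one area to another undetected.
function seal(key, area, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(area));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, area, box) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAAD(Buffer.from(area));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws if tampered
}

// keys: { document, record, communication }, one 32-byte key per area (assumption).
function buildPackage(keys, document, record, communication) {
  return {
    area1: seal(keys.document, "area1:document", document),
    area2: seal(keys.record, "area2:record", JSON.stringify(record)),
    area3: seal(keys.communication, "area3:communication", JSON.stringify(communication)),
  };
}

// Recipient side: read area 3 first and stop before touching areas 1 and 2
// when the recipient is not listed there.
function openPackage(pkg, keys, recipientId) {
  const comm = JSON.parse(open(keys.communication, "area3:communication", pkg.area3).toString("utf8"));
  if (!comm.authorizedRecipients.includes(recipientId)) {
    throw new Error("recipient not authorized by area 3");
  }
  const record = JSON.parse(open(keys.record, "area2:record", pkg.area2).toString("utf8"));
  const document = open(keys.document, "area1:document", pkg.area1).toString("utf8");
  return { comm, record, document };
}

// Constructed sample data, not taken from the showcase.
const sampleKeys = {
  document: crypto.randomBytes(32),
  record: crypto.randomBytes(32),
  communication: crypto.randomBytes(32),
};
const samplePackage = buildPackage(sampleKeys, "Constructed articles of association",
  { fileNumber: "SAMPLE-0001" }, { authorizedRecipients: ["court-b"], sender: "court-a" });
```

Because each area has its own key, a component that only needs the communication information can be given the area 3 key alone and never sees the record or the documents.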

The public administration cuts its operating and process costs considerably thanks to less effort in terms of personnel, communication and time, and the processing time for the local courts is reduced as well. A study from the Fraunhofer Institute on a customer project in the State of Hessen in Germany, assigned by Microsoft®, came to the same conclusion. Result: “The net processing time has been reduced by two-thirds and the quality (through the validity of data) has improved at the same time.” [2]

But let’s return to the topics of security and trust. Above, the provision of data was described as “encrypted in the Cloud”. Encryption of sensitive data has to have a high complexity in order to avoid or mitigate the risk of unauthorized access. Therefore we realized different security levels with an explicit separation of the process from the exchanged information (documents and data). Workflows with ordinary, encrypted user data can be processed in the Public Cloud (Azure™), while sensitive data (such as documents) can be transferred within a private cloud environment. In this way a multi-level security concept can be realized depending on individual requirements.

Combionic Cloud Security architecture

In order to realize the project we brought together several of our technologies and our know-how as well as products of our partners Microsoft and Atos IT Solutions and Services (formerly Siemens IT Solutions and Services). Microsoft supplied the cloud-based Azure platform, which enables the processes to be standardized and automated. Atos IT Solutions and Services GmbH contributed its expertise with electronic files to the joint project. Combionic and Microsoft implemented the business process based on the Azure platform and integrated all connectors involved.

[2] See Wirtschaftlichkeit und Interoperabilität des ‚Modernen Verwaltungsarbeitsplatz‛ (MVAP) an Musterprozessen im Arbeitsschutz Wiesbaden Fraunhofer Instituts, Fraunhofer Institut für offene Kommunikationssysteme und Fraunhofer Institut für Arbeitswirtschaft und Organisation, 2009.